Win32/rootkit.kryptic.af


  • This topic is locked
11 replies to this topic

#1 pittipanna (Members, 5 posts)

Posted 20 April 2010 - 01:19 PM

Hi All,

I need some help with my computer, I hope someone has time for me.

I have NOD32 installed, which puts numerous files in quarantine every time I start up my computer. Here are a few examples (always in the same folder, always sys, but different names):
C:/Windows/system32/drivers/aec.sys
C:/Windows/system32/drivers/wudfrd.sys
C:/Windows/system32/drivers/usbprint.sys

It says they are all win32/rootkit.kryptic.af modified trojans.

I have run a full scan after receiving these messages, and found nothing else.
I have run Malwarebytes' as well, which found and deleted an infected restore point, but nothing else.
Sophos Anti-Rootkit found this file, but was unable to delete it:

C:/Windows/system32/drivers/gsjknbkb.sys

It seems to be very suspicious, as the date of creation is always changing, and I was not able to remove it manually, not even in safe mode.

So basically that is it.
This is an old acer laptop, fat32, windows xp.

I know the best solution would be to reinstall Windows, but unfortunately I don't have the install CDs with me (I'm studying abroad).

If you need any other information, please let me know.

and thank you for your help and time in advance,

Panna


#2 Eric ~ Computer Guy (Members, 125 posts, Dallas, TX)

Posted 20 April 2010 - 01:26 PM

QUOTE(pittipanna @ Apr 20 2010, 01:19 PM) [the first post, quoted in full above]

The C:/Windows/system32/drivers/gsjknbkb.sys seems to be an underlying cause.

Instead of running ComboFix, which is what the mods will probably recommend, I would use TwinFix to do a delete-on-reboot on that file.

TwinFix is made by Trend Micro, and is much more reliable than ComboFix, as ComboFix is more apt to brick your PC than to actually help you, since it deletes false positives and valid-but-hooked DLLs as well.

TwinFix's instructions and downloads can be found here: http://esupport.trendmicro.com/Pages/How-d...is-it-used.aspx

Also try using Trend Micro's Rootkit Buster to help after you run TwinFix on this. Rootkit Buster is a detector, and leaves the removal to you, thus eliminating the ComboFix woes.

Rootkit Buster can be found here: http://free.antivirus.com/clean-up-tools/



#3 pittipanna (Topic Starter, Members, 5 posts)

Posted 20 April 2010 - 04:29 PM

Thank you Eric for your help, although it did not work.

gsjknbkb.sys is still there, and there is a new file, yibppz.sys, in the same folder as well.


I did run the Rootkit Master you recommended, here is the log:

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.80.0.1077
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.




Any new ideas?

thx

#4 Eric ~ Computer Guy (Members, 125 posts, Dallas, TX)

Posted 20 April 2010 - 04:55 PM

Try using TwinFix to delete both of those .sys files you mentioned. The instructions are listed in my previous post.

#5 pittipanna (Topic Starter, Members, 5 posts)

Posted 21 April 2010 - 05:45 AM

I did try TwinFix again, but this time when the computer restarted, a blue screen appeared (I could not read it, it was only there for a second) and Windows was not able to run. I had to restore the Last Known Good Configuration.

The suspicious files are still there :(



#6 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,204 posts, Romania)

Posted 21 April 2010 - 06:11 AM

Hello pittipanna,

Unlike what was suggested earlier in this topic, we do not recommend ComboFix in the Am I Infected forum.

However, I would like to have you run a rootkit scan as well as Malwarebytes Anti-Malware.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Please let me know if you still have to use the Last Known Good Configuration to boot or if Normal mode works again.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 pittipanna (Topic Starter, Members, 5 posts)

Posted 21 April 2010 - 11:19 AM

Hi, normal mode works again.

Here are the logs; I ran GMER first:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-21 13:54:31
Windows 5.1.2600 Service Pack 3
Running: rw4hyonq.exe; Driver: C:\DOCUME~1\Juli\LOCALS~1\Temp\kwrdqpog.sys


---- System - GMER 1.0.15 ----

INT 0x33 ? FD0EB7E4

---- Kernel code sections - GMER 1.0.15 ----

? gsjknbkb.sys A device attached to the system is not functioning. !
PAGE Fastfat.sys F9663D56 4 Bytes CALL 81EE6641
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF90CAE80]

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\svchost.exe[2384] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 51EC8B55
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 1845DB51
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] F855DD56
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] E8084DDC
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 000004D2
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] FF184589
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 40516015
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] F845DD00
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 8B104DDC
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 1865DAF0
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 0004B9E8
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 8BC88B00
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] F74199C6
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] C28B5EF9
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 2B08244C
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 9904244C
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] 8BF9F741
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 244403C2
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] FF56C304
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 40516015
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 244C8B00
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 244403C1
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 15FFC308
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [00405160] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 04244C8B
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] F9F74199
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] FFC3C28B
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 40516015
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 646A9900
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 33F9F759
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 24543BC0
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C09C0F04
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 0204EC81
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 68560000
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 00000100
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 515815FF
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B590040
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 00FFB8F0
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 8D500000
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] FFFEFC8D
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] C93351FF
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 558D5151
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 8D5052FC
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFDFC85
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 40504415
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 56216A00
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] FFFC75FF
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 40515C15
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 0CC48300
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] C01BD8F7
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] C95EC623
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 458B5151
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 33565308
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 57C88BF6
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 33FC7589
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 01518DFF
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 8441198A
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 2BF975DB
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 802974CA
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 7420063C
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 75FF850A
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 45FF470C
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8506EBFC
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 46C88BFF
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 8A01518D
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] DB844119
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] CA2BF975
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] D772F13B
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 5FFC458B
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C3C95B5E
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 83EC8B55
IAT C:\WINDOWS\System32\svchost.exe[2384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 56530CEC

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom 81EE66F8
Device \Driver\SMBHC \Device\SmbHc SMBCLASS.SYS (SMBus Class Driver/Microsoft Corporation)
Device \FileSystem\Fastfat \Fat 81EE66F8

AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset )

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] gsjknbkb <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gsjknbkb@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gsjknbkb@Start 0
Reg HKLM\SYSTEM\ControlSet001\Services\gsjknbkb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\gsjknbkb@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\gsjknbkb@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gsjknbkb@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\gsjknbkb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\gsjknbkb@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\gsjknbkb@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gsjknbkb@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\gsjknbkb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\gsjknbkb@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\gsjknbkb@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gsjknbkb@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\gsjknbkb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\gsjknbkb@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\000b6b5811f8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gsjknbkb@Type 1
Reg HKLM\SYSTEM\ControlSet005\Services\gsjknbkb@Start 0
Reg HKLM\SYSTEM\ControlSet005\Services\gsjknbkb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\gsjknbkb@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b6b5811f8
Reg HKLM\SYSTEM\CurrentControlSet\Services\gsjknbkb@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gsjknbkb@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gsjknbkb@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gsjknbkb@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet007\Services\BTHPORT\Parameters\Keys\000b6b5811f8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gsjknbkb@Type 1
Reg HKLM\SYSTEM\ControlSet007\Services\gsjknbkb@Start 0
Reg HKLM\SYSTEM\ControlSet007\Services\gsjknbkb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet007\Services\gsjknbkb@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----


And here is Malwarebytes (it was in Hungarian; if you need any help, tell me!):




Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2010.04.21. 15:28:28
mbam-log-2010-04-21 (15-28-28).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 182442
Time elapsed: 1 hour(s), 9 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\qthawr.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\INFE.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93578BE8-BF0C-4229-A88C-3057C141F020}\RP594\A0116156.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93578BE8-BF0C-4229-A88C-3057C141F020}\RP594\A0116160.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Thank you again!
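The GMER log above is the decisive evidence in this thread: a service hidden from the normal service list, marked [BOOT], with a matching key in every control set. The following Python script is an added triage helper written for this page (it is not part of GMER, Malwarebytes or any tool the posts mention). It parses the "Services" and "Registry" sections of a GMER log, collects the registry values defining each hidden service per control set, and decodes the Type/Start numbers using the documented Windows SERVICE_* constants. The SAMPLE_LOG lines are copied from the posted GMER output, trimmed to three control sets; the fallback image path is the loader default for a kernel driver whose key has no ImagePath value, which agrees with the path named in the first post.

```python
"""Triage helper for a GMER rootkit-scan log (added example, not GMER code)."""
import re

# Documented meanings of a service key's Type and Start registry values.
SERVICE_TYPES = {
    0x1: "SERVICE_KERNEL_DRIVER",
    0x2: "SERVICE_FILE_SYSTEM_DRIVER",
    0x10: "SERVICE_WIN32_OWN_PROCESS",
    0x20: "SERVICE_WIN32_SHARE_PROCESS",
}
START_TYPES = {
    0: "SERVICE_BOOT_START",    # loaded by the boot loader before the kernel runs
    1: "SERVICE_SYSTEM_START",
    2: "SERVICE_AUTO_START",
    3: "SERVICE_DEMAND_START",
    4: "SERVICE_DISABLED",
}

# Matches: Service (*** hidden *** ) [BOOT] gsjknbkb <-- ROOTKIT !!!
HIDDEN_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
# Matches: Reg HKLM\SYSTEM\ControlSet001\Services\gsjknbkb@Start 0
REG_RE = re.compile(r"^Reg HKLM\\SYSTEM\\(\w+)\\Services\\([^\\@]+)@(\w+)\s*(.*)$")

# Constructed sample: lines copied from the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] gsjknbkb <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gsjknbkb@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gsjknbkb@Start 0
Reg HKLM\SYSTEM\ControlSet001\Services\gsjknbkb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\gsjknbkb@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\000b6b5811f8 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\gsjknbkb@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gsjknbkb@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gsjknbkb@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gsjknbkb@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet007\Services\gsjknbkb@Type 1
Reg HKLM\SYSTEM\ControlSet007\Services\gsjknbkb@Start 0
Reg HKLM\SYSTEM\ControlSet007\Services\gsjknbkb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet007\Services\gsjknbkb@Group Boot Bus Extender
"""


def parse_gmer_log(text):
    """Return {name: {"load": "BOOT", "reg": {controlset: {value: data}}}}
    for every service GMER reported as hidden."""
    hidden = {}
    for line in text.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            hidden[m.group(2)] = {"load": m.group(1), "reg": {}}
    # Second pass so registry lines attach regardless of section order,
    # and only for the hidden names (other services' keys are ignored).
    for line in text.splitlines():
        m = REG_RE.match(line)
        if m and m.group(2) in hidden:
            controlset, name, value, data = m.groups()
            hidden[name]["reg"].setdefault(controlset, {})[value] = data.strip()
    return hidden


def triage(name, service):
    """Decode one hidden service into the facts an analyst wants to see."""
    current = service["reg"].get("CurrentControlSet", {})
    stype = int(current.get("Type", -1))
    start = int(current.get("Start", -1))
    # Assumed loader default when the key carries no ImagePath value:
    # \SystemRoot\System32\Drivers\<ServiceName>.sys
    default_path = "\\SystemRoot\\System32\\Drivers\\" + name + ".sys"
    return {
        "type": SERVICE_TYPES.get(stype, "unknown(%d)" % stype),
        "start": START_TYPES.get(start, "unknown(%d)" % start),
        "group": current.get("Group"),
        # Every control set still carrying the key; a Last Known Good boot
        # selects one of these, so the driver survives that recovery step.
        "control_sets": sorted(service["reg"]),
        "image_path": current.get("ImagePath", "(default) " + default_path),
    }


def report(text):
    """Triage every hidden service in a GMER log."""
    return {name: triage(name, svc) for name, svc in parse_gmer_log(text).items()}


if __name__ == "__main__":
    for name, facts in report(SAMPLE_LOG).items():
        print(name)
        for key, val in facts.items():
            print("  %-13s %s" % (key + ":", val))
```

Run on the posted log it reports gsjknbkb as a SERVICE_KERNEL_DRIVER with SERVICE_BOOT_START in group "Boot Bus Extender", present in every control set listed. That combination explains two things seen later in the thread: a boot-start driver in the bus-extender group is loaded before any anti-malware service, and deleting the key from CurrentControlSet only leaves copies in the other control sets, so booting into the Last Known Good Configuration brings it straight back.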







#8 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,204 posts, Romania)

Posted 21 April 2010 - 11:37 AM

Hello again,

It seems we have a rootkit on board, so I will have to move this thread to the malware removal forum since the tools we have to use are not allowed in the malware removal forum.

We need to use GMER to delete a service and remove the file:
  • Open the gmer folder and double click gmer.exe to run the program
  • On starting GMER will run a short scan, allow it to complete this, then click No if it asks you to run a full scan.
  • Click on the > > > tab to open the menus
  • Click on the Services tab
  • Scroll down until you find the following Service (Note: This may be highlighted in red)

    Service (*** hidden *** ) [BOOT] gsjknbkb

  • Click on the Service Name to Highlight it, then right click and choose Delete...
  • Click OK at the first confirmation dialog to remove the service
  • Click OK to the second confirmation dialog to remove the file
  • Click OK to exit the program
Let me know of any problems you encountered.


regards, Elise




#9 pittipanna (Topic Starter, Members, 5 posts)

Posted 21 April 2010 - 05:01 PM

Thank you for your help! Unfortunately it did not work. As soon as I confirmed the deletion in GMER, the blue screen appeared again, and I had to boot to the Last Known Good Configuration.

gsjknbkb.sys is still there and alive :((

#10 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,204 posts, Romania)

Posted 22 April 2010 - 02:06 AM

Okay, that means we need some heavier stuff.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise




#11 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,204 posts, Romania)

Posted 26 April 2010 - 01:50 PM

Hello, are you still there?

regards, Elise




#12 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,204 posts, Romania)

Posted 04 May 2010 - 11:27 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

